Rogue Access Points
Originally Posted by Entropius
...turn SSID broadcast off so it won't show up in any scans they run.
I'm a UNIX and network admin for a living. SSID scanning is only the first thing you do in finding rogue access points.
With the right software, you will see the wireless networks that are not advertising their SSID, too. Then you do some basic triangulation, or as I liked to call it, "hot/cold" checks. Buildings frequently reflect signals weirdly, but you can normally figure out what floor a rogue AP is on, which wing of that floor, and the location within 10-30 meters or so.
The next step for checking for a rogue access point is to do some log analysis at your switch(es) for that wing. Look at the MAC addresses connecting. Most access points have well-publicized MAC ranges they use. You can also do this at your DHCP server, if you have access to it. Just grep through the MAC log and look for the octets which likely indicate an access point. They are very easily recognizable, and since most people just plug their rogue AP into a wall jack, they're about as obvious in the logs as an elephant in your living room.
OK, so you know the wing. You know the floor. You know which switch they are connected to (maybe). Hit your port wiring diagrams, and you'll find the cube (or room) they're coming from. Walk over and have a quiet chat with them, if possible. Discuss it with their manager (if corporate; I'd guess their RA if it's a college) if that is what your security policies require. Go on with life, and keep a close eye on that infringer for a few months.
People can be sneaky, though. For instance, they can hide their access point behind a legitimate computer acting as a proxy gateway for their wireless network (usually, Windows connection sharing). Well, at that point, WEP-cracking becomes kind of important. Crack their WEP key. See if you can see what the traffic is that's going over. Hop onto your firewall or intrusion-detection system, and grep through the log for some keywords from the traffic log you got from cracking the WEP key and sniffing the traffic. Normally, this will net you some positives; you can see the IP, run an "nmblookup -A" (if using SAMBA) to see the hostname and currently logged-in user of the Windows box, and then track down via DHCP logs or the username (if recognizable) where the machine lives.
Of course, you can also just block that IP from going through the firewall, and wait for the support call, too...
If they're really savvy, it will be a Linux or BSD box. That could be more interesting.
Now, the really sneaky people would use WPA behind a proxy legitimate box. Can't crack WPA yet, and you can't tell by the MAC that there's an access point there since it's either being proxied or NAT'd. So you're stuck with only being able to roughly triangulate the location of the rogue access point to within about 100 square meters or so. At that point, it comes down to hunting and figuring out whether it's worth your time. You might be able to find it, or you might not. Signal strengths indoors are not a reliable triangulation method, because strength drops off irregularly due to structural blocks. But you can sometimes find it.
It's even more frustrating when they're a person who only turns on their access point when they're using it, and they turn it off when they're done. You can't hunt late at night, and you don't have unlimited time to figure out where the rogue AP is. However, if a user is using WPA, proxies behind a legit box, and shuts it off when they're not using it, then I just chalk up a victory for the security-mindedness of the individual who set up the AP. Because that's the same way I'd use it if I wanted to run an AP on a network that didn't allow it, and it's an exercise in frustration trying to track it down.
It's basically professional courtesy at that point. I tip my hat, think "good jeaorb Homer", and move on to the next project.
As far as locking down my personal access point in my home in suburbia? I just did 40-bit WEP and a MAC address filter. I monitor everything that happens on my network, so I'd know if someone happens to connect and push some data through. Most folks aren't tech-savvy enough to try to crack a WEP key. If they are, well, I know all my neighbors and know who the one guy is that would be savvy enough to try it. Yeah, I know that some potential malicious person could sniff my traffic. Fact is, we run anything important that could be sniffed through SSL. My family doesn't use file-sharing, really, and any copying I need to do is done through SSH.
Of course, my printer is kind of hanging out there. That's sometimes a worry, that someone would connect and send a few thousand pages to my printer. With its high-capacity bins, that could cost me some money.
In this kind of low-security environment, though, I think it's all that's needed. People respect WEP like they respect windows and door locks. Sure, they can get in if they want to by breaking a window or knocking down a door, but that's not neighborly.
At work, it's another story. WPA, dynamic key assignment, registered computers only, set up behind a firewall from the rest of the network, fascist logging, you name it...
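The DHCP-log check the post describes (grep the lease log for MAC prefixes that belong to access-point vendors) as an added, runnable example. This is not the poster's code; it assumes ISC dhcpd-style "DHCPACK on ... to ... via ..." syslog lines, and both the OUI table and the log lines are constructed placeholders. A real deployment would load the vendor prefixes from the IEEE OUI registry and feed it the actual DHCP log or a switch's MAC address table.

```python
import re

# Constructed OUI table: first three octets -> vendor. These prefixes are
# placeholders for the example, not real vendor assignments; load the IEEE
# OUI registry and keep the access-point vendors you care about in practice.
AP_OUIS = {
    "00:11:22": "ExampleWiFi (placeholder AP vendor)",
    "00:aa:bb": "ExampleNet (placeholder AP vendor)",
}

# Constructed ISC dhcpd-style syslog lines standing in for the DHCP server log.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.20.4.17 to 00:11:22:7a:8b:9c (wrt-home) via eth1
Mar  3 09:12:04 dhcp dhcpd: DHCPACK on 10.20.4.31 to 3c:5f:0e:11:22:33 (LAPTOP-B12) via eth1
Mar  3 09:13:40 dhcp dhcpd: DHCPREQUEST for 10.20.4.17 from 00:11:22:7a:8b:9c (wrt-home) via eth1
Mar  3 09:15:02 dhcp dhcpd: DHCPACK on 10.20.5.9 to 00-AA-BB-01-02-03 via eth2
Mar  3 09:16:10 dhcp dhcpd: DHCPACK on 10.20.4.40 to 3c:5f:0e:44:55:66 (DESK-C07) via eth1
"""

# Any MAC written as six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"(?i)\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b")
# A completed lease: IP, MAC, optional client hostname, and the server interface
# (the interface tells you which wing/switch uplink the lease came in on).
ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+)(?: \(([^)]*)\))? via (\S+)")


def normalize_mac(mac):
    """Lower-case and use ':' separators so prefix lookups are uniform."""
    return mac.lower().replace("-", ":")


def oui(mac):
    """The vendor prefix: first three octets of the normalised MAC."""
    return normalize_mac(mac)[:8]


def find_ap_leases(log_text, ap_ouis=AP_OUIS):
    """Return {mac: {ip, hostname, iface, vendor}} for every DHCPACK whose
    client MAC carries an access-point vendor prefix. The latest lease per
    MAC wins, which is what you want when walking over to the wall jack."""
    findings = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, hostname, iface = m.groups()
        mac = normalize_mac(mac)
        vendor = ap_ouis.get(oui(mac))
        if vendor is None:
            continue
        findings[mac] = {
            "ip": ip,
            "hostname": hostname or "",
            "iface": iface,
            "vendor": vendor,
        }
    return findings


def ap_macs_in(text, ap_ouis=AP_OUIS):
    """Looser sweep for any text that contains MACs (switch MAC address table,
    DHCPREQUEST lines, ARP output): the set of MACs with an AP vendor prefix."""
    return {
        normalize_mac(mac)
        for mac in MAC_RE.findall(text)
        if oui(mac) in ap_ouis
    }


if __name__ == "__main__":
    for mac, info in find_ap_leases(SAMPLE_DHCP_LOG).items():
        print(f"{mac}  {info['ip']:<12} {info['iface']:<5} "
              f"{info['hostname'] or '-':<12} {info['vendor']}")
```

Run it against the constructed log and the two placeholder-vendor leases come out with their IP, interface and client hostname; the laptops and desktops with other prefixes are ignored. Cross-reference the interface (or, from a switch MAC table, the port) with the port wiring diagrams to get to the jack, as the post describes.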